A user who has this privilege via some role is allowed to restart any forest.

Granular privileges allow more fine-grained approach to execute privileges. When assigning privileges to roles, you may not only specify a privilege to perform a specific action but also identify a specific resource this privilege is applicable to.

For example, you may allow a user to restart a specific forest by assigning one of the following privileges to this user's role:

where {forest-id} is the forest identifier and {database-id} is the identifier of the database using the forest.

You can create an appropriate fine-grained privilege, assign it to some role, and assign that role to a user. Then the user will be able to restart the specified forest, or forests in the specified database.

A privilege of this category grants a user an ability to read/write any configuration file (for example, call to xdmp:write-cluster-config-file()). This privilege is specific to the operation (for example, "write") and the scope (for example, "cluster"). The combination of the two values is a specific privilege (for example, http://marklogic.com/xdmp/privileges/xdmp-write-cluster-config-file).

A privilege of this category grants a user an ability to write a particular configuration file (for example, databases.xml). This privilege is specific to the operation (for example, "write"), scope (for example, "cluster"), and the configuration file (for example, "databases.xml"). The combination of the three values is a specific privilege (for example, http://marklogic.com/xdmp/privileges/xdmp-write-cluster-config-file/databases.xml).

A privilege of this category grants a user an ability to administer a set of resources (for example, databases). This privilege is specific to the resource set (for example, "databases"), which defines the specific privilege (for example, http://marklogic.com/xdmp/privileges/admin/database). This privilege may imply the privilege to read and write a specific configuration file.

Privileges of this category are pre-defined and included with every installation of MarkLogic Server. You can view them in the Execute Privileges Summary page of the Admin Interface (see instructions in Viewing an Execute Privilege section of the Administrator's Guide).

A privilege of this category grants a user an ability to administer a specific resource (for example, a database with the specified identifier). This privilege is granted by suffixing the administrator privilege for that kind of resource (for example, "database") with the specific identifier (for example, "{database-id}"), which results in the specific privilege (for example, http://marklogic.com/xdmp/privileges/admin/database/{database-id}). This privilege may imply the privilege to read and write a portion of a configuration file. It also grants the ability to call various built-in functions for specific resources (for example, http://marklogic.com/xdmp/privileges/xdmp-forest-clear/forest/{forest-id} privilege allows calls to xdmp:forest-clear() for that forest identifier).

A privilege of this category grants a user an ability to administer a specific aspect (for example, backup) of a set of resources (for example, databases). This privilege is granted by suffixing the administrator privilege for that kind of resource (for example, "database") with the specific aspect (for example, "backup"), which results in the specific privilege (for example, http://marklogic.com/xdmp/privileges/admin/database/backup). This privilege may imply the privilege to read and write a portion of a configuration file.

A privilege of this category grants a user an ability to administer a specific aspect (for example, backup) of a specific resource (for example, the database with identifier {database-id}). This privilege is granted by suffixing the privilege for the specific aspect (for example, "backup") of that kind of resource (for example, "database") with the specific identifier (for example, "{database-id}"), which results in the specific privilege (for example, http://marklogic.com/xdmp/privileges/admin/database/backup/{database-id}). This privilege may imply the privilege to read and write a portion of a configuration file.

For example, to create a granular privilege that grants a user an ability to administer a specific aspect (for example, backup) of a set of resources (for example, forests), perform the following steps:

Use the Admin Interface to create an execute privilege named admin-forest-backup.

Assign the action URI http://marklogic.com/xdmp/privileges/admin/forest/backup to the privilege.

Assign the privilege to the desired role or roles. You may want to create a specific role for this privilege depending on your security requirements.

The following screenshot depicts the New Execute Privilege page with the above parameters:

You will not be able to create a granular privilege that grants a user an ability to administer a specific resource (for example, a forest with the specified identifier) in the manner described above, because resource identifiers are not exposed in the Admin Interface. To create a granular privilege of this type (for example, http://marklogic.com/xdmp/privileges/admin/forest/{forest-id}), you need to use the functions of XQuery API security module, as described in the following section Configure Granular Privileges via the XQuery API Security Module.

Using the Admin Interface, create users user1, user2, and user3 with roles role1, role2, and role3 correspondingly. For details on creating users and assigning roles to them, see Creating a User section of the Administrator's Guide.

This section includes examples in XQuery that you may run for user1, user2, and user3 from the Query Console and observe different results depending on the user's privileges. The results are discussed in detail in the next section Test It Out.

Using the Query Console, you can execute Scenario 1, Scenario 2, and Scenario 3 for each one of the users user1, user2, and user3. The results of the execution are presented in the table below:

User

Role

Scenario

Result

user1

role1

Add range index to database db1

Success

user1

role1

Add range index to database db2

Success

user1

role1

Add backup for database db1

Failure

user2

role2

Add range index to database db1

Success

user2

role2

Add range index to database db2

Failure

user2

role2

Add backup for database db1

Success

user3

role3

Add range index to database db1

Success

user3

role3

Add range index to database db2

Failure

user3

role3

Add backup for database db1

Failure

The following analysis explains the above results:

The user user1 successfully adds indexes to both databases db1 and db2, but fails to add backup to database db1, because the user's role1 has granular privilege http://marklogic.com/xdmp/privileges/admin/database/index that allows to add indexes to any database but does not allow other operations on databases.

The user user2 successfully adds both index and backup to database db1, but fails to add index to database db2, because the user's role2 has granular privilege http://marklogic.com/xdmp/privileges/admin/database/<db1_identifier> that allows to perform any operation on database db1 but does not allow operations on other databases.

The user user3 successfully adds index to database db1, but fails to add index to database db2 and to add backup to database db1, because the user's role3 has granular privilege http://marklogic.com/xdmp/privileges/admin/database/index/<db1_identifier> that allows to add indexes to database db1 but does not allow any other operation on database db1 and does not allow any operation on other databases as well.